How Private Are Personal Emails Sent Via Employer Computers?
FindLaw columnist Eric Sinrod writes regularly in this section on legal developments surrounding technology and the internet.
In this day and age, practically everyone communicates electronically often and for a multitude of reasons. This of course, is true in the workplace. While employees communicate by email for work-related reasons, it is not uncommon for them also to send emails relating to personal matters.
Employers frequently put in place and have employees execute employee email privacy policies. These policies provide that emails sent and received by employees on computer equipment provided by employers are not private and are subject to proper employer review.
But does that always hold true? Not necessarily, at least according to the New Jersey Supreme Court based upon the facts of one particular recent case.
In the case of Stengart v. Loving Care Agency, Inc., the New Jersey Supreme Court was called upon to answer the unique question as to whether an employee could expect privacy and confidentiality in emails between herself and her attorney that were sent and received through her personal, password-protected, email account while using a laptop computer provided by her employer for company business. From the laptop, the employee could send emails from her company email account. She also could access the Internet from the employer's server. The employee was not aware that the browser software automatically saved a copy of each Web page she viewed on the laptop's hard drive in a cache folder of temporary Internet files.
The employee ultimately used the laptop to access a personal, password-protected email account on the Yahoo Web site. Through that account, she communicated with her attorney about issues she was having related to her employment. She did not save her Yahoo identification or password on the laptop. When she ceased her employment, she returned the laptop to the employer. She then filed an employment discrimination complaint against the employer based on the issues she felt that she had encountered at work.
As part of the litigation and in anticipation of discovery, the employer hired experts to create a forensic image of the laptop's hard drive; including the temporary Internet files. Those files contained the contents of certain emails that the employee had exchanged with her attorney using her Yahoo account. At the tail-end of the emails sent by the lawyer, there was language that stated that the information in the emails "is intended only for the personal and confidential use of the designated recipient" and that the emails may constitute "privileged and confidential" attorney-client communications.
The employer took the position in the litigation that the emails were fair game because the former employee had no reasonable expectation of privacy in files on a company-owned computer, especially based on the employer's electronics communications policy. That policy stated that the employer could review, access and disclose "all matters on the company's media systems and services at any time." The policy also provided that emails, Internet communications and computer files are deemed company business records and "are not to be considered private or personal" to employees. However, the policy also stated that "occasional personal use is permitted."
At the end of the day and based on the facts of this specific case, the New Jersey Supreme Court held that the employee could reasonably expect that her emails with her attorney through her personal, password-protected Yahoo account should remain private; and that just because she used a company laptop did not undermine that privacy expectation and the attorney-client privilege.
The Court reached this conclusion for various reasons, including the following: 1) the employer's policy did not specifically state that emails exchanged on personal, password-protected email accounts would be subject to monitoring if employer equipment were used; 2) the reference to review of matters on the employer's "media systems and services" was too vague; 3) the policy did not provide notice that the contents of personal emails stored on hard drives might be forensically retrieved and read; 4) while stating that emails "are not to be considered private or personal," the policy at the same time allowed "occasional personal use of email"; and 5) the lawyer's emails contained language stating that they were personal, confidential and possibly attorney-client communications.
The Court was clear in stating that "whether an employee has a reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis." Here, the Court did not believe that a reasonable person in the employee's position would expect that her employer "would be watching over her shoulder as she opened emails from her lawyer on her personal, password-protected Yahoo account." The Court went on to note that while employers can enforce computer use polices "to protect the assets and productivity of a business, . . . they have no basis to read the contents of personal, privileged, attorney-client communications."
Indeed according to the New Jersey Supreme Court, even "a policy that provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal password-protected email account using the company's computer system, would not be enforceable."
So what are the take home messages from this case? For employers, they must be as explicit and specific as possible in terms of providing notice in their policies to employees as to how they may monitor the employee's electronic communications and the level of privacy. Hardly any employees can expect full privacy in their communications. However according to the New Jersey Supreme Court, notwithstanding all of the clear notice in the world, some monitoring still may not be permissible.
As far as employees, they should read and understand their employers' computer use policies. They should recognize that they indeed may have very little privacy in their electronic communications sent and received using employer computer equipment. When in doubt, they should send personal communications from their own personal equipment using their own private accounts. Of course, that is easier said than done. Employees spend long hours at work and on portable work equipment, and they may not always remember to separate their work and private lives - and some courts may, and some courts may not, find that to be reasonable on the facts of given cases.
- Email Security Policy: Why You Need One for Your Employees (FindLaw)
- Email Internet Policy: Why Your Small Business Needs One (FindLaw's Free Enterprise Blog)
- District Court Rules In Favor of Work Email Privacy (FindLaw's Law and Daily Life Blog)
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at email@example.com. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
You Don’t Have To Solve This on Your Own – Get a Lawyer’s Help
Meeting with a lawyer can help you understand your options and how to best protect your rights. Visit our attorney directory to find a lawyer near you who can help.